Abstract

Covert channel techniques are used by attackers to transfer data in
a way prohibited by the security policy. There are two main categories
of covert channels: timing channels and storage channels. This paper
introduces a new storage channel technique called protocol channels. A
protocol channel switches between at least two protocols to send a bit
combination to a destination. The main goal of a protocol channel is that
packets containing covert information look identical to all other packets of
the system, which makes a protocol channel hard to detect.
Protocol Channels

For attackers, it is usual to transfer different kinds of hidden information through hacked
or public networks. One solution for this task is to use a network covert channel
technique, as they have been well known for many years. There are currently two different
main types of covert channels, so-called storage channels (which include hidden
information in attributes of transferred network packets) and timing channels (which
make use of the timing of sent packets to transfer hidden information) [Owens02].

A new storage channel technique called a "protocol channel" includes hidden
information only in the header part of protocols that specify an encapsulated protocol
(e.g. the field "Ether Type" in Ethernet, the "Protocol" value in PPP, the "Next
Header" value in IPv6 or the source/destination port of TCP and UDP). For instance,
if a protocol channel used the two protocols ICMP and ARP, where ICMP means
that a 0 bit was transferred and ARP means that a 1 bit was transferred, then the packet
combination sent to transfer the bit combination "0011" would be ICMP, ICMP, ARP,
ARP. A protocol channel must not contain any other information that identifies the
channel. It is also important that a protocol channel only uses the usual protocols of
the given network. An algorithm to identify such usual protocols for adaptive covert
channels (protocol hopping covert channels) was introduced by [YADALI08].

The higher the number of protocols available to a protocol channel, the more
information can be transferred within one packet, since more states are
available. In the above example, 2 different states are available, which represents 1
bit. If the attacker could use 4 different protocols, a packet would represent 2 bits.

This does not allow high covert channel transfer rates but is enough to transfer
sniffed passwords or other tiny pieces of information. Especially if the attacker uses some
compression scheme (such as converting ASCII text to a 6-bit representation of
most of the printable characters), the need for a high transfer rate decreases. The proof
of concept code "pet" uses a minimized 5-bit ASCII encoding and a 6th bit as a
parity bit.

Problems 

Since a protocol channel only carries one or two (usually not more) bits of hidden
information per packet, it is not possible to include reliability information (like an
ACK flag or a sequence number). If a normal packet that does not belong to the protocol
channel were accepted by the receiver of a protocol channel, the whole channel
would become desynchronized. It is not possible to identify packets which do (not) belong
to the protocol channel if they use one of the protocols the protocol channel uses.

Another problem is fragmentation, as well as the loss of packets. If a packet
is fragmented, the receiver receives it twice, which means that the bit
combination would be used two times and the receiver-side bit combination would be
destroyed. The channel would end up desynchronized in this case too. As a solution
for this problem, the receiver could check for packets that carry the "More Fragments"
flag of IPv4. Lost packets create a hole in the bit combination, which results in the
same desynchronization problem.
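The following simulation is an added example, not the paper's "pet" code: it models the encoding described above (a packet's protocol carries log2(number of protocols) bits, text is packed as 5-bit symbols plus one parity bit) and the two receiver-side problems just discussed. The 32-character alphabet, the placement of the parity bit, and the packet model (a dict with the protocol name and the IPv4 "More Fragments" flag) are assumptions made for the illustration; pet's actual tables may differ.

```python
import math

# Constructed protocol sets: the position of a protocol in the list is the
# symbol value a packet of that protocol carries (2 protocols -> 1 bit,
# 4 protocols -> 2 bits). Assumed to be "usual" protocols of the network.
PROTOCOLS_2 = ["ICMP", "ARP"]
PROTOCOLS_4 = ["ICMP", "ARP", "UDP", "TCP"]

# Assumed 5-bit alphabet (32 symbols); not pet's real table.
ALPHABET = "abcdefghijklmnopqrstuvwxyz .,:/-"


def bits_per_packet(protocols):
    """Number of bits one packet can carry; needs a power-of-two set."""
    n = len(protocols)
    b = int(math.log2(n)) if n >= 2 else 0
    if n < 2 or 2 ** b != n:
        raise ValueError("number of protocols must be a power of two >= 2")
    return b


def text_to_bits(text):
    """5-bit symbol followed by an even-parity bit for each character."""
    bits = []
    for ch in text.lower():
        idx = ALPHABET.index(ch)          # raises ValueError if unsupported
        sym = [(idx >> i) & 1 for i in range(4, -1, -1)]
        sym.append(sum(sym) % 2)          # assumed: even parity as 6th bit
        bits.extend(sym)
    return bits


def bits_to_text(bits):
    """Inverse of text_to_bits; returns (text, number_of_parity_errors)."""
    chars, errors = [], 0
    for i in range(0, len(bits) - len(bits) % 6, 6):
        chunk = bits[i:i + 6]
        if sum(chunk) % 2 != 0:
            errors += 1
        idx = 0
        for b in chunk[:5]:
            idx = (idx << 1) | b
        chars.append(ALPHABET[idx])
    return "".join(chars), errors


def encode(text, protocols):
    """Sender: map the bit stream onto a sequence of protocol names."""
    bpp = bits_per_packet(protocols)
    bits = text_to_bits(text)
    while len(bits) % bpp:               # zero-pad to a whole packet
        bits.append(0)
    packets = []
    for i in range(0, len(bits), bpp):
        val = 0
        for b in bits[i:i + bpp]:
            val = (val << 1) | b
        packets.append(protocols[val])
    return packets


def decode(packet_protocols, protocols):
    """Receiver: every packet of a channel protocol yields bpp bits.
    Packets of other protocols are distinguishable and simply ignored;
    packets of a channel protocol cannot be told apart from channel traffic."""
    bpp = bits_per_packet(protocols)
    bits = []
    for name in packet_protocols:
        if name not in protocols:
            continue
        val = protocols.index(name)
        bits.extend((val >> i) & 1 for i in range(bpp - 1, -1, -1))
    return bits_to_text(bits)


def to_stream(packet_protocols):
    """Constructed packet model: protocol name plus IPv4 More Fragments flag."""
    return [{"proto": p, "mf": False} for p in packet_protocols]


def fragment(packet):
    """Split one packet into two fragments; only the first has MF set."""
    return [{"proto": packet["proto"], "mf": True},
            {"proto": packet["proto"], "mf": False}]


def receive(stream, protocols, filter_fragments=True):
    """Receiver with the paper's suggested fix: drop packets carrying the
    More Fragments flag so a fragmented packet is counted only once."""
    names = [p["proto"] for p in stream
             if not (filter_fragments and p["mf"])]
    return decode(names, protocols)


if __name__ == "__main__":
    pk = encode("secret", PROTOCOLS_2)
    print(len(pk), "packets:", pk)
    print("clean:", decode(pk, PROTOCOLS_2))
    stream = to_stream(pk)
    stray = [{"proto": "ICMP", "mf": False}] + stream   # one legitimate ping
    print("stray ICMP packet:", receive(stray, PROTOCOLS_2))
    frag = fragment(stream[0]) + stream[1:]
    print("fragmented, MF filtered:", receive(frag, PROTOCOLS_2))
    print("fragmented, unfiltered:", receive(frag, PROTOCOLS_2, False))
```

Running it shows the effect the paper describes: a single ordinary ICMP packet inserted ahead of the channel shifts every following bit, so the decoded text is garbage and the parity bit flags several characters, but parity cannot resynchronize the stream. Dropping packets with the More Fragments flag restores the clean decode for the fragmentation case only; a lost packet produces the same shift and cannot be repaired without sequence information the channel has no room for.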

Conclusion 

Protocol channels provide attackers with a new way to send hidden information through
networks. Even if detection by network security monitoring systems is possible -
e.g. because of unusual protocols used by the attacker - reconstruction of the hidden
data is as good as impossible, since it would require knowledge of the transferred
data type, of the way the sent protocol combinations are interpreted (e.g. big-endian or
little-endian), and a recording of all sent packets.